Verticals Targeted: Government, Military, Various
Executive Summary
PicassoLoader, a downloader, was observed targeting government, military, and civilian entities in Ukraine and Poland. CERT-UA attributed this activity to GhostWriter.
Key Takeaways
- PicassoLoader is a downloader used to target government, military, and civilian entities in Ukraine and Poland.
- The attacks occurred between April 2022 and July 2023.
- The objective of the attacks appears to be theft of sensitive data and gaining persistent remote access to victim machines.
- CERT-UA attributed the attacks to the threat actor group known as GhostWriter.
What is PicassoLoader?
PicassoLoader, a downloader, was observed targeting government, military, and civilian entities in Ukraine and Poland from April 2022 to July 2023. Cisco Talos recently reported on this activity. CERT-UA attributed the more recent attacks to the threat actor group known as GhostWriter. The objective of the attacks appears to be theft of sensitive data and gaining persistent remote access to victim machines.
The campaign leverages phishing lures and decoy documents to start the multistage PicassoLoader infection chain. The decoy documents are usually in Excel or PowerPoint file formats containing VBA code and are used in an attempt to trick recipients into enabling macros.
The VBA code drops an .LNK or .EXE file. The .LNK launches a DLL downloader. The downloader retrieves a JPG file with an embedded encrypted downloader. PicassoLoader is used to deliver the final payloads, which in the most recent attacks included Cobalt Strike Beacon and njRAT.
Who is GhostWriter?
GhostWriter, also known as UNC1151, TA445, UAC-0057, and PUSHCHA, is a Belarusian threat actor active since at least 2017. The group is thought to be affiliated with the Belarusian government. GhostWriter is likely based in Minsk and has historically carried out espionage and information operations targeting government and private sector entities. Their targets are primarily based in Ukraine, Lithuania, Latvia, Poland, and Germany. GhostWriter’s TTPs include spearphishing, WhisperGate, and a modified version of MicroBackdoor.
IOCs
PolySwarm has multiple samples of PicassoLoader.
F00939201f7e77221e94e917a8e34c3d2143324e02fdf35058526d870a0023a0
4d9cca1d75d4691e794dfe9efb9eef6e9e64b4e978ad17831b459d4bb6722829
2c5ba56a41f40bac2f21065fb9883545ef8d359883cb7bc351c481cb9542e104
44fd895174a7c1c0019fc95bb04201106dc165704c70e902e3de58db98f03c7e
30d46a740e2677c8fee383c2a4762561a10c66c5b99215262e42bfabf6bfb1aa
924d3589d642e8fd65746dc156ff9f104d43114a04ea9509f51ee6a439d1915b
Bc92a5b1c4205ea1fbfec9144b8aab485e095142c7105c9d616b089ec668f198
Ad8e3ebd496fb4d97e5075adb4f2f1b91195cca059800d0acd182a07698c13b6
0f3bdbc64446555c6ff611b02f2e64250fcaf39b78237ae4cca7c74d94731b32
35d1e819d2ac2535f0aa9e2294570135f37519386872c415e326146e931b8fb9
You can use the following CLI command to search for all PicassoLoader samples in our portal:
$ polyswarm link list -f PicassoLoader
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports